The Five Ws of REGIN

“In the world of malware threats, only a few rare examples can truly be considered GROUNDBREAKING and almost PEERLESS,” – Symantec.

With all the recent hype surrounding Regin, we have scoured the net and broken down the five W’s of Regin below:

WHO:

The highly complex and sophisticated makeup of Regin, as well as its extensive espionage capabilities, suggests that it was developed by a nation-state, the Guardian reports. Although attribution in the cyber realm is difficult, speculation as to the source of the Regin malware points to the United States’ National Security Agency (“NSA”) and the United Kingdom’s Government Communications Headquarters (“GCHQ”), Wired reported. Sources cite circumstantial evidence to link both the NSA and GCHQ to Regin. First, reports suggest that the Regin malware is eerily similar to an attack that occurred in 2010 on Belgium’s Belgacom, a phone and internet service provider, which allowed the attacker to gather data on the company’s network, as well as customer information, and was attributed to GCHQ. Second, sources cite reports leaked by Edward Snowden describing two NSA operations targeting the mobile networks of several nations and designed to gather, record and store metadata on every mobile phone call to and from these nations. Accordingly, reports have linked the NSA to Regin because of the staggering number of victims that Symantec has identified as telecom networks. Third, there have been no reports identifying victims in either the U.K. or the U.S., further fueling speculation that Regin is a product of both nations, reports the Guardian.

WHAT:

Regin is a back-door Trojan with a degree of technical competence rarely seen. It has the ability to load custom features tailored to individual targets. In fact, according to Symantec, some of Regin’s custom payloads point to a high level of specialist knowledge in particular sectors on the part of the developers. Symantec’s report also notes that Regin is capable of installing a large number of additional payloads, some highly customized for the targeted computer. Symantec listed some of Regin’s payload capabilities: stealing passwords, monitoring network traffic, gathering information on processes and memory utilization, and retrieving deleted files. Symantec also noted some advanced payload modules designed with specific goals, which have included: monitoring network traffic to Microsoft Internet Information Services (IIS) web servers, collecting administration traffic for mobile telephony base station controllers, and parsing mail from Exchange databases. But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. Wired reports that access to GSM base station controllers would allow manipulation of the system, including the monitoring of cellular traffic. Wired adds that this capability includes the ability to shut down a cellular network, for example during an invasion of the country or other unrest. This fear is not just conceptual: Kaspersky reports that in 2008 Regin was used to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East.

WHEN:

Symantec is aware of two distinct versions of Regin: version 1.0 appears to have been used from at least 2008 to 2011, when it was abruptly withdrawn, and version 2.0 has been used from 2013 onwards. It is important to note that most of the information out there on Regin, according to Symantec, is based on an analysis of version 1.0. Security researchers have only recovered 64-bit files from version 2.0. Additionally, there may be versions prior to 1.0 and versions between 1.0 and 2.0.

WHERE:

According to Symantec, Regin has infected networks in ten countries spanning ten different regions, and has been found in the networks of private companies, research institutes, government agencies, organizations, and even academics. Kaspersky also identified financial institutions and multinational political bodies as victims. It is important to note that 28% of victims were identified as telecom networks, which still rely on communications protocols that offer little to no security to the user, according to Kaspersky.

Symantec found that Russia and Saudi Arabia have been affected the most, with 28% and 24% of victims located there respectively. Additionally, nine percent of victims were found to reside in Ireland and Mexico, Symantec reported. The report goes on to say that Pakistan, Austria, Belgium, Iran, Afghanistan and India each account for five percent of the victims. In addition to the countries identified by Symantec, Kaspersky identified victims in Algeria, Brazil, Germany, Indonesia, Malaysia, Syria, Fiji and Kiribati. It is highly unusual that victims were found in Fiji and Kiribati, considering that they are both small island nations where such advanced malware is rarely found, according to Kaspersky.

WHY:

Regin’s main purpose is intelligence gathering, and it has been implicated in data collection operations against government organizations, infrastructure operators, businesses, academics, and private individuals. According to Symantec, Regin is different from what are commonly referred to as “traditional” advanced persistent threats (APTs), both in its techniques and in its ultimate purposes. APTs typically seek specific information, usually intellectual property. Regin, on the other hand, is used for the collection of data and continuous monitoring of targeted organizations or individuals.

For more information, including the “How” of Regin, read the full reports here: Symantec and Kaspersky. [PDFs of Full Reports are available on websites linked].

Professor William Snyder

Ryan D. White

Ryan is currently a third year law student at Syracuse University College of Law, and is also pursuing a Master of Public Administration degree from Syracuse’s Maxwell School of Citizenship and Public Affairs. Ryan spent time with Homeland Security Investigations while pursuing his undergraduate degree at Wesleyan University, and spent his first summer of law school as clerk for the U.S. Attorney’s Office in the Western District of New York. He is a member of Syracuse Law Review, the Journal on Terrorism and Security Analysis, and participates in the Veteran’s Legal Clinic.

Christopher W. Folk

is a 2017 graduate of SU College of Law. A non-traditional student, Christopher returned to academia after spending nearly twenty years in the high-tech industry. Christopher served in the Marine Corps, graduated from Cornell University with a B.S. in Applied Economics and Business Management, attended Northeastern University’s High-Tech MBA Program and received an M.S. in Computer Information Systems. Christopher previously worked in software engineering. Christopher is currently serving his second term as Town Justice for the Town of Waterloo. Christopher externed with a cybersecurity firm in the Washington, D.C. area between his first and second years at SU College of Law.

Anna Maria Castillo

is a 2016 graduate of Syracuse College of Law. She also holds a Master of Arts in International Relations from Syracuse University's Maxwell School of Citizenship and Public Affairs. She has interned at a London-based think tank that specializes in transnational terrorism and global security and at the legal department of a defense contractor. She served as an executive editor of the Syracuse Law Review.

Jennifer A. Camillo

is a 2015 graduate of Syracuse College of Law and is a prosecutor. She has served as a law clerk in the United States Attorney’s Office for the Northern District of New York and the Cayuga County District Attorney’s Office and as an extern in the Oneida County District Attorney’s Office. She was a member of the Syracuse National Trial Team and was awarded the Tiffany Cup by the New York Bar Association for her trial advocacy achievements.

Tara J. Pistorese

holds Juris Doctor and Master of Public Administration degrees from Syracuse University's Maxwell School of Citizenship and Public Affairs and its College of Law. She wrote for this blog as a student. She is now a member of the U.S. Army Judge Advocate General's Corps.

Benjamin Zaiser

is both a scholar and a Federal Agent of the Federal Criminal Police Office of Germany. (Opinions expressed here are his own and not any part of official duty.)